Configure IBM Db2 initially and request a client certificate

3min

Now that you have configured the CA and KMIP TLS server certificates, you must use IBM Db2 to request a client certificate. Attempting to import an existing client certificate that you did not generate by using a CSR from IBM Db2 results in an error.
Create the local keystore and request a CSR for the client certificate
1
On the server where you installed IBM Db2, create a working directory in the C: drive for your certificates (for example, C:\Certs).
2
Copy your root CA certificate into the folder.
3
Open a command line and run the following command to create the local key store:
Shell
"C:\Program Files\IBM\gsk8\bin\gsk8capicmd_64" -keydb -create -db C:\Certs\clientkeydb.p12 -pw safest -type pkcs12 -stash
"C:\Program Files\IBM\gsk8\bin\gsk8capicmd_64" -keydb -create -db C:\Certs\clientkeydb.p12 -pw safest -type pkcs12 -stash
﻿
Modify the command with your working folder directory, desired key store file name and key store password.
4
Next, run the following command to import the root CA certificate into the local keystore:
Shell
"C:\Program Files\IBM\gsk8\bin\gsk8capicmd_64" -cert -add -db C:\Certs\clientkeydb.p12 -stashed -label Root -file C:\Certs\root.pem
"C:\Program Files\IBM\gsk8\bin\gsk8capicmd_64" -cert -add -db C:\Certs\clientkeydb.p12 -stashed -label Root -file C:\Certs\root.pem
﻿
5
After you have imported the root CA certificate into the local keystore, run the following command to generate the CSR for the IBM Db2 client certificate:
Shell
"C:\Program Files\IBM\gsk8\bin\gsk8capicmd_64" -certreq -create -db C:\Certs\clientkeydb.p12 -stashed -label ibmdb2 -dn "CN=ibmdb2" -target C:\Certs\clientcert.csr -size 2048 -sigalg SHA256
"C:\Program Files\IBM\gsk8\bin\gsk8capicmd_64" -certreq -create -db C:\Certs\clientkeydb.p12 -stashed -label ibmdb2 -dn "CN=ibmdb2" -target C:\Certs\clientcert.csr -size 2048 -sigalg SHA256
﻿
For future configuration, make note of the Label and Common Name of the client certificate. The name of the identity you create on the  must match the Common Name of the client certificate.
6
After generating the CSR for the IBM Db2 client certificate, use the configured storage medium to copy it to the .
Sign the IBM DB2 client certificate CSR
1
Log in to the  by using the default admin identities.
2
Go to PKI > Certificate Authorities and right-click the root CA certificate you created for this integration. Then, select Add Certificate > From Request.
3
Browse for the client CSR and select it. 
Certificate details populate in the Import Certificate window.
4
On the Subject DN and Basic Info tabs, leave all settings set to the default values.
5
On the V3 Extensions tab, set the Profile to TLS Client Certificate and select [ OK ].
The IBM Db2 client certificate now displays in the certificate tree.
Export the signed IBM DB2 client certificate
1
Right-click the signed IBM Db2 client certificate and select Export > Certificate(s).
2
On the Export Certificate window, change the encoding to PEM, specify a name for the file, and select [ Browse ].
3
Browse to where you want to save the certificate and select [ Open ].
4
Select [ OK ]. 
A message states that the file was successfully saved to the specified location.
5
Copy the client certificate to the working folder on the IBM Db2 server.
﻿
﻿

Updated 18 Jun 2024

Did this page help you?

Configure TLS certificates for mutual authentication

Create a role and identity on the KMES Series 3